Dark Reading is part of the Informa Tech Division of Informa PLC

Attacks/Breaches

4/7/2015 08:10 AM
What Happens When Personal Information Hits The Dark Web

Experiment tracked the journey of a cache of phony names, SSNs, credit cards, and other personal information.

The bait--a trove of phony "stolen" data including several thousand Social Security numbers, credit cards, names, and email addresses--was swallowed within the first few days of being planted in the Dark Web. And when the 12-day experiment was over, the data had traveled to more than 22 different countries and been viewed nearly 1,100 times.

The experiment, conducted by security vendor BitGlass, was aimed at getting an inside look at just what happens after cyber criminals siphon personal information from retailers and other breached organizations. BitGlass researchers generated a list of 1,568 phony names, SSNs, credit card numbers, addresses, and phone numbers, rolled them into an Excel spreadsheet, and then "watermarked" it with their code that silently tracks any access to the file.

They dropped the file on DropBox, as well as on seven infamous black market sites including Onion-pastebin and Paste-slampeech, and watched its journey across five continents: North America, Asia, Europe, Africa, and South America. In the end, it was downloaded by 47 different parties. It was mainly grabbed by users in Nigeria, Russia, and Brazil, with the most activity coming from Nigeria and Russia.

"Our goal was to see how liquid the market is for breached data," says Nat Kausik, CEO of Bitglass. "We were curious to see what happens to it after a breach."

Kausik says the experiment showed how people who frequent the cyber underground markets overwhelmingly preview the data to vet it. "People do cross-examine it and download it, looking for breached data," he says.

There was a significant participation of users from university networks overseas as well, he says, most likely because that's where open WiFi is most available.

The researchers were unable to see beyond the file's movements, but Kausik says that if someone tried to use one of the "stolen" credit card numbers to make a purchase, for example, the transaction would ultimately fail because the account was phony, and the buyer would then realize he or she had been duped.

"We didn't put it up for sale," he says of the phony data sample file that BitGlass named "Employees.XLS."

The researchers spotted some forum users contacting the sources of other posted stolen data for more information on how to buy it in bulk. "We didn't post any contact information [with our file], so we don't know if the recipients were interested in buying more," he says.

Bitglass's watermark "phones home" when a file is opened or downloaded, grabbing IP address, geographic location, and the type of device accessing it.
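The article describes the callbacks as a stream of events (time, IP address, location, device type) from which BitGlass derived its headline numbers: time to first access, number of views, distinct downloaders, and countries reached. The following is an added example, not BitGlass's code or its log format, of how a defender running a beaconing honeytoken document would turn such callback records into those figures. The space-separated log layout, the `employees-xls` token id, the 12-day window and all sample records are constructed for the illustration.

```python
"""Aggregate callbacks from a watermarked (beaconing) honeytoken document.

Added example. The log format below is a constructed assumption, not the
format used by any real vendor: one record per line with
  <ISO-8601 UTC timestamp> <token id> <client IP> <ISO country> <device type>
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample callbacks (RFC 5737 documentation IPs, invented timings).
# One malformed line is included to show that the parser skips it.
SAMPLE_LOG = """\
2015-03-25T14:02:11Z employees-xls 203.0.113.10 NG desktop
2015-03-25T14:05:49Z employees-xls 203.0.113.10 NG desktop
2015-03-26T03:11:02Z employees-xls 198.51.100.7 RU desktop
2015-03-26T09:40:23Z employees-xls 192.0.2.55 BR mobile
2015-03-27T12:00:00Z employees-xls 198.51.100.7 RU desktop
2015-03-27T12:00:00Z employees-xls 192.0.2.200 US desktop
this line is malformed and must be skipped
2015-04-05T22:15:31Z other-token 192.0.2.201 US mobile
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class Callback:
    when: datetime
    token: str
    ip: str
    country: str
    device: str


def parse_log(text: str) -> List[Callback]:
    """Parse callback records, skipping lines that do not match the layout."""
    events: List[Callback] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed record: skip it rather than abort the report
        ts, token, ip, country, device = parts
        try:
            when = datetime.strptime(ts, TS_FORMAT)
        except ValueError:
            continue  # unparseable timestamp: also skipped
        events.append(Callback(when, token, ip, country, device))
    return events


def summarize(events: List[Callback], token: str, planted_at: str,
              window: timedelta = timedelta(days=12)) -> Dict[str, object]:
    """Summarize one token's callbacks within `window` of its first access.

    Returns the figures a honeytoken operator typically reports: total views,
    distinct downloading parties (approximated by distinct client IPs),
    distinct countries, the most active countries, and the delay in seconds
    between planting the file and its first observed access.
    """
    planted = datetime.strptime(planted_at, TS_FORMAT)
    hits = sorted((e for e in events if e.token == token), key=lambda e: e.when)
    if not hits:
        return {"views": 0, "parties": 0, "countries": 0,
                "top_countries": [], "time_to_first_view_s": None}
    first = hits[0].when
    in_window = [e for e in hits if e.when - first <= window]
    by_country = Counter(e.country for e in in_window)
    return {
        "views": len(in_window),
        "parties": len({e.ip for e in in_window}),
        "countries": len(by_country),
        # ties keep first-seen order, so NG precedes RU in the sample data
        "top_countries": [c for c, _ in by_country.most_common(2)],
        "time_to_first_view_s": int((first - planted).total_seconds()),
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG), "employees-xls", "2015-03-24T00:00:00Z")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Distinct IPs are only a rough proxy for distinct parties; the same downloader behind a VPN or a university NAT (the article notes heavy traffic from overseas university networks) can appear as one address or several, so a real report should treat that figure as a lower-to-upper bound rather than a count.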

The biggest takeaway of the experiment, Kausik says, was how easy it is to sell stolen information. "There is a well-established online marketplace" for it, he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
anon5164936000, User Rank: Apprentice
4/12/2015 | 4:23:15 AM
How did they track the spreadsheet?
It looks like they just used the same tracking/tagging technology (but calling it "watermarking") as ReadNotify have been doing for over a decade.
anon8645060756, User Rank: Apprentice
4/9/2015 | 12:01:40 PM
Which sites received the most attention?
I would love to know whether the file was picked up from DropBox as well as the more nefarious sites. We have users who want to use DropBox and I'd love to have a real-life example of why we don't want them to use it.

Yes, I know there are security settings, but I would venture to guess that all of my users don't know what those are and/or wouldn't bother to use them.
Sara Peters, User Rank: Author
4/8/2015 | 4:32:50 PM
1,100 views...
I can't decide if 1,100 views seems like a lot or not very many at all. I guess I would have expected that number to be higher, but then again, I imagine that the competition is pretty stiff on the black market -- high quality data from trusted sellers.
macker490, User Rank: Ninja
4/8/2015 | 9:02:58 AM
you will not have learned anything useful
You should follow Brian Krebs

the people who deal in stolen dox pride themselves in selling only quality stuff. and their reputations rely on it. it is very unlikely that this data will be offered by any reputable darknet dealer
Kelly Jackson Higgins, User Rank: Strategist
4/7/2015 | 5:19:57 PM
Re: Honeypot
They kept it relatively low-key and generic, and didn't offer any "for sale" information, etc., so the file was more of a phony sample of stolen stuff. It's probably no more risky than a honeypot.
RyanSepe, User Rank: Ninja
4/7/2015 | 2:47:45 PM
Honeypot
Interesting to see the tracking of how fast the data moved and to what purpose in what used. I can't help but feel this is a very similar practice to a honeypot however. And I think that with this premise you would draw the same type of attention.

The practice of baiting a malicious person is a dangerous concept in its smallest measurements. But when the baited individual turns out to be a nefarious user with expert level knowledge then the situation becomes truly dangerous. If I were BitGlass, I would be wary of running these experiments with that scope. Wouldn't want to become the target of an unscrupulous hacker with a vendetta.
